Q&A: Paul Dorey on DLP, deperimeterisation

Paul Dorey is one of the pioneers of information security as a profession. He worked on early security measures at the investment bank Barclays PLC and has most recently been director of digital security for global oil company BP Corp., a role that he will relinquish at the end of this year.

He has advised governments on security, he sits on the European Advisory Board for ISC2, and is also an advisor to the European Network and Information Security Agency (ENISA). Dorey is also a founder member of the Jericho Forum and chairman of the fledgling Institute of Information Security Professionals (IISP).

Here he talks about some of the technological and professional challenges facing companies and people working in information security today.

There was a lot of talk about deperimeterisation when you launched the Jericho Forum five years ago, but has it delivered since?
Deperimeterisation is alive and well and in the lives of 18,000 people at BP. It gives you ease of use because all you need is Internet connectivity.

Deperimeterisation means you should be able to go to your corporate assets in the same way as you go to a banking website or Amazon. It should be something you just click on. You also want single sign on so you don't have one login for the HR system, and another for different departments.

Corporations who try it find it works like a dream because you don't have any of the problems that VPNs hit – such as breaking at the router. And because you're working through a browser, you don't need to power up a special client. The advantage is that users don't need to keep going back into the corporate network. That is very powerful for an international company like BP – in Angola you don't want to have to connect into the UK to access information.

There are a couple of challenges. For example, it can take a while to get developers to architect applications so that they are Internet-facing.

Another challenge is protecting things held locally on your machine - how do you guarantee you have a trusted environment? But if you look inside the corporate perimeter, you have the same problem there, unless you have a tightly locked-down environment, which is hard to achieve.

So how are you tackling data loss prevention?
The problem of control, given the huge proliferation of data, is significant. Instead of having 100 trained professionals protecting the data, you have 100,000 users with data on their machines.

You start by encrypting laptops, USB sticks, emails, then you have behavioural tools. Then you have digital rights management. So you need a whole portfolio of tools. The nice thing about an encrypted laptop is that it doesn't require any user intervention. But that only controls the container – as soon as you get into controlling content, then you need user intervention.

Traditional data classification is not very helpful – it puts things into layers of protection. But in the commercial world, everyone has their own definition of what top secret should mean.

That is why digital rights management is so powerful in concept. It means you can transmit the requirements of handling along with the document. So you can prevent the document from being printed, for example, or being shared.

In BP, we have a [DRM] pilot running. We are not sure of the scalability yet, but conceptually it is the right way to go. The document looks after itself, which is in line with the Jericho model.

It is best to present classifications to the user as a given. For example, if I want to write an appraisal note on someone, I would download a template from HR for an appraisal, which would be already defined as confidential. That is also the way we are beginning to work with third parties – they are starting to use a standard BP project template [which has DRM built in]. That protects the information and allows us to expire it and call it home from where it is if we need to.

How have you managed outsourcing in the past?
We used to give all contractors computers with our own image on it as a way of managing it. But that proved too expensive and unhelpful. And it didn't help the contractor because he ended up with two machines.

We want them to work in a protected environment. One approach we are piloting is to give them a VM on a stick, so the BP environment comes up when they plug in, and goes away again when they unplug it.

You can lock the virtual machine so that you can only print to certain printers, and only save on certain network-attached drives. That is a powerful way of distributing a safe environment – but it is a cop-out really. Intelligent documents would be the best way to go, but that is something that will take around five years to become reality.

Tell me about progress at the Institute of Information Security Professionals.
We've had all the glitz of the launch, and all the intellectual effort to produce the world's first competency-based security assessment. Now we are at the 'route-march' stage.

Corporations are increasingly looking to competency-based assessments for all their jobs, not just in security. In BP, we just went through an assessment of the entire IT population – I used the Institute to handle the security component of that. As a side-effect, those who got through the assessment got IISP membership as well. It was always about giving somebody a transferable assessment that would be more useful.

It took me a day and a half to write up my own competencies – not a lot in a lifetime, but quite a lot in a week! So that's what I mean by route-march. I don't intend to do it again. I have applied for membership and I'll find out soon if they've passed me.

We now have seven corporations putting their teams through the fast track – a sort of 'sheep dipping' exercise where an interviewing team from IISP turns up and interviews people for a couple of days. We are still in the low hundreds of members, and we have thousands to get through, but the pace has gone up and will increase as we acquire more members, and therefore more interviewers.

Initially we had a very small pool of people we could use, and they had to be assessors whose abilities would be unchallengeable – it was a boot-strap exercise. Now it is getting easier. Once someone becomes a member, they can apply to become an assessor.

What else will the Institute do?
The role of the Institute is not only to declare the standard but to help people [meet the standard]. It will launch special development programmes starting next year. These will be a series of lectures, and definitions of types of activity people should be performing in order to broaden their experience. And it will encourage employers to take this on board as part of their development programmes.

We also have the idea of a logbook [to track career development] and we are also looking at 'semi-diplomas' for specialisms, and talking to a number of training providers about this.

We are also running a series of Top Gun exercises, where we have two teams of security professionals, one as attackers and the others defending. The first was in Manchester, and the next will be in London.

It is done as a desktop exercise over a whole day. The Blue Team is told the story of the company they work for, and its problems. There have been no security people before, so they have the task of securing it. The Red Team is told why the company is not liked and why there is a highly motivated team of people out to get them. Then the game begins. Both teams have to attack and defend to a budget.

The first one was fantastic. They debated in separate rooms how to operate with control teams telling them what they could or could not do, and then we drew them together to play out the scenario. It was a great way of getting them to understand how other people operate.

I was so impressed by the quality of work of both teams. The Blue Team came up with an idealised framework for the protection of the corporation, and they did it in a day. It was a superb piece of work. It shows what great professionals these people are.

The Institute is really attracting the cream of the profession. For instance, we have a job board where corporate members can publish vacancies. SOCA (the Serious Organised Crime Agency) advertised a job there recently, and said they didn't get one duff candidate apply. The quality of candidates was a factor of 10 or 20 times better than their general advertising campaign would yield.

Inevitably, some people will fail to be accredited and fail to make the grade. When that happens, we offer them a development programme. It is competency-based so we have a lot of data and can see the areas they need to strengthen.

What are your plans after BP?
Well, there are a lot of options, but I'm describing it as a 'boutique consultancy'. I really think there are some unsolved problems out there where we could really help.